The Kali365 phishing kit has expanded beyond Microsoft 365 to target multiple cloud and identity platforms, including AWS and Okta.
The platform abuses device code phishing workflows by tricking victims into completing legitimate OAuth authorization requests.
Successful attacks can bypass MFA protections because victims complete the authentication process on behalf of the attacker.
Organizations should monitor OAuth activity, review device code authorization usage, strengthen conditional access controls, and improve visibility into suspicious identity and endpoint behavior.
The Kali365 phishing kit has expanded beyond its original focus on Microsoft 365, with researchers observing attacks targeting AWS, Okta, Xerox DocuShare, MAX Messenger, GMX, Mail.ru, Yandex Disk, and Odnoklassniki. The expansion highlights how attackers are increasingly targeting cloud identities and authentication workflows rather than relying solely on credential theft.
Unlike traditional phishing campaigns that steal usernames and passwords, Kali365 uses device code phishing to abuse legitimate OAuth authentication processes. Victims are tricked into completing a valid sign-in flow, resulting in OAuth access tokens being issued to an attacker-controlled session.
The broader targeting suggests that device code phishing is no longer limited to Microsoft-centric environments. As organizations continue to adopt cloud applications, SSO platforms, and federated identity services, OAuth token theft and identity-focused attacks are becoming increasingly important considerations for security teams.
The Kali365 phishing kit uses device code phishing to abuse the OAuth 2.0 Device Authorization Grant (RFC 8628). This grant exists for clients with limited input capabilities, such as smart TVs, IoT devices, and printers, where typing credentials directly is impractical: the client requests a short user code, the user enters that code in a full browser, and the client polls the token endpoint until the approval arrives.
In a legitimate workflow, the same person operates both ends. The device displays the user code, the user enters it on the identity provider's trusted login portal and authenticates there, and the device then receives OAuth tokens for the authorized resources.
Kali365 operators exploit the fact that nothing binds the approving browser to the requesting client. They generate legitimate device authorization requests themselves and convince victims to enter the resulting user code on the attacker's behalf.
Attack flow:
1. The attacker initiates a legitimate device authorization request for the targeted cloud service and receives a device code and a user code.
2. The victim receives a phishing lure with instructions to enter the provided user code.
3. The victim opens the service provider's genuine authentication page.
4. The victim completes authentication and any required MFA challenge.
5. The identity provider issues OAuth tokens to the client that started the flow, which is the attacker's polling client (an access token and, depending on the scopes requested, a refresh token).
6. The attacker gains access to the targeted service without ever collecting the victim's password.
Why MFA Does Not Stop the Attack
Many traditional phishing attacks attempt to steal credentials or intercept MFA codes, so phishing defenses look for fake login pages and replayed one-time codes. In device code phishing there is nothing to intercept: the victim signs in at the real identity provider, satisfies the MFA challenge there, and approves the authorization request themselves.
As a result, the identity provider issues valid OAuth tokens through a legitimate workflow to the client that requested the code, and that client belongs to the attacker. Because no password or MFA code ever passes through attacker infrastructure, credential-focused defenses have little to see; the only attacker-controlled element is the user code in the lure.
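The attack flow above and the reason MFA does not interrupt it are easiest to see by running the grant end to end. The following is an added illustration written for this article, not code from the Kali365 kit or from any identity provider: a toy in-memory authorization server implementing the two RFC 8628 endpoints, an attacker acting as the polling client, and a victim who enters the user code and passes MFA. The client ID, scopes, verification URI, user names and clock values are all constructed.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added illustration for this article, not code from the Kali365 kit or from any
identity provider. Client ID, scopes, URIs, users and timestamps are constructed.
"""
import secrets

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceAuthServer:
    """In-memory identity provider exposing the two RFC 8628 endpoints."""

    def __init__(self, lifetime=900, interval=5):
        self.lifetime = lifetime    # seconds a device/user code stays valid
        self.interval = interval    # minimum seconds between client polls
        self.pending = {}           # device_code -> request record
        self.by_user_code = {}      # user_code -> device_code

    def device_authorization(self, client_id, scope, now):
        """Step 1: the *client* (here, the attacker) asks for a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": now + self.lifetime, "status": "pending", "subject": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # constructed
                "expires_in": self.lifetime, "interval": self.interval}

    def verify(self, user_code, subject, mfa_passed, now):
        """Step 2: the *browser user* (the victim) enters the code on the real
        login page and authenticates, MFA included. Note what is NOT checked:
        nothing ties the approving browser to the client that is polling."""
        rec = self.pending.get(self.by_user_code.get(user_code))
        if rec is None or now > rec["expires"]:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        rec["status"], rec["subject"] = "approved", subject
        return "approved"

    def token(self, client_id, device_code, grant_type, now, last_poll=None):
        """Step 3: the client polls the token endpoint until approval."""
        rec = self.pending.get(device_code)
        if grant_type != GRANT_TYPE or rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            return {"error": "expired_token"}
        if last_poll is not None and now - last_poll < self.interval:
            return {"error": "slow_down"}
        if rec["status"] != "approved":
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        del self.by_user_code[rec["user_code"]]
        # Tokens go to whoever holds device_code: the client that started the flow.
        return {"token_type": "Bearer", "scope": rec["scope"], "sub": rec["subject"],
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16), "expires_in": 3600}


def run_device_code_phish(victim="alice@example.com", mfa_passed=True):
    """Walk the article's attack flow against the toy IdP and return what each
    party observed. Times are seconds on a constructed clock."""
    idp = DeviceAuthServer()
    client = "mail-client-public"   # any public client ID the IdP accepts (constructed)
    start = idp.device_authorization(client, "mail.read offline_access", now=0)
    first_poll = idp.token(client, start["device_code"], GRANT_TYPE, now=5)
    # The lure carries start["user_code"]; the victim types it into the real
    # verification_uri and completes MFA there a minute later.
    outcome = idp.verify(start["user_code"], victim, mfa_passed, now=60)
    second_poll = idp.token(client, start["device_code"], GRANT_TYPE, now=65, last_poll=5)
    return {"first_poll": first_poll, "victim_outcome": outcome, "tokens": second_poll}
```

The first poll returns `authorization_pending`; after the victim approves and passes MFA, the second poll returns tokens whose subject is the victim, even though the attacker never saw a password or a one-time code. The `slow_down` and `expired_token` branches are the protocol's only built-in friction: an attacker must deliver the lure and get the victim to act inside the code lifetime, which is why kits automate the request and the lure together.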
Kali365 Expands Beyond Microsoft 365
Earlier reporting primarily associated Kali365 with Microsoft 365-targeted campaigns. Recent research from Arctic Wolf indicates that the platform has expanded its targeting to include a broader set of cloud and identity services.
Reported targets include AWS, Okta, Xerox DocuShare, MAX Messenger, GMX, Mail.ru, Yandex Disk, and Odnoklassniki.
Researchers also identified approximately 126 active malicious hosts associated with the infrastructure during May. The findings suggest Kali365 is expanding beyond Microsoft 365 and appears to be adapting to services that rely on OAuth-based authentication.
Phishing-as-a-Service Capabilities
Kali365 also reflects the growing sophistication of phishing-as-a-service platforms. According to public reporting, the service includes AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture capabilities.
These features reduce the technical expertise required to launch identity-focused attacks and allow operators to scale campaigns more efficiently. For defenders, Kali365 reinforces the need to monitor authentication workflows, OAuth activity, and token usage alongside traditional credential-based attack indicators.
Operational Summary
Threat Type: Phishing-as-a-Service (PhaaS)
Primary Technique: Device code phishing
Target Asset: Cloud identities and OAuth access tokens
Authentication Impact: MFA protections can be circumvented when users complete the authentication process themselves
Reported Targets: Microsoft 365, AWS, Okta, Xerox DocuShare, and other reported services
Attacker Objective: OAuth token theft and unauthorized account access
Risk and Operational Impact
The expansion of the Kali365 phishing kit highlights how attackers are increasingly abusing authentication workflows rather than relying solely on credential theft. For organizations that rely on cloud services and centralized identity platforms, this creates new challenges around token security and access control.
Device Code Phishing Changes the Threat Model
Unlike traditional phishing attacks, device code phishing abuses legitimate authentication workflows to obtain authorized access tokens, reducing the effectiveness of credential-focused defenses.
OAuth Token Theft Can Expand Access
A successful compromise provides access to the cloud resources associated with the affected account, bounded by the permissions of that identity and the scopes granted to the token. A refresh token extends that access until it expires or is revoked.
Legitimate Authentication Can Hinder Detection
Victims authenticate through legitimate login portals and may complete valid MFA challenges when required, making malicious activity difficult to distinguish from normal user behavior.
Organizations should review how device authorization workflows are used within their environment and determine whether the device code flow is required for business operations. As identity-focused attacks continue to evolve, security teams should focus on strengthening visibility into authentication activity and reducing opportunities for unauthorized token issuance.
Recommended actions include:
Monitor device authorization requests and OAuth consent activity, and alert on device code sign-ins from accounts, locations, or applications that have never used the flow before.
Review conditional access policies for high-risk applications and, where the identity provider supports it, block or restrict the device code flow itself (Microsoft Entra Conditional Access can target it through its authentication flows condition), with exceptions scoped to the specific accounts and applications that genuinely need it.
Restrict access from unmanaged or non-compliant devices where appropriate.
Implement phishing-resistant authentication methods such as FIDO2 security keys, but understand their limit here: they stop credential and one-time-code capture, yet they do not by themselves stop device code phishing, because the victim authenticates genuinely at the real login page. Pair them with restrictions on the flow.
Establish procedures for rapid OAuth token revocation during incident response, since a password reset alone does not invalidate tokens that have already been issued.
Hunt for suspicious token usage, anomalous sign-in activity, and unexpected cloud application access.
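The conditional access recommendations above are easier to reason about against a concrete sign-in. The following is an added illustration written for this article, not Microsoft's or any vendor's engine: a toy policy evaluator that borrows the vocabulary of Microsoft Entra Conditional Access (an authentication flows condition that can match the device code flow, grant controls, user and app exclusions) and runs a weak policy set and a hardened one against the phishing sign-in. Policy names, users and applications are constructed; map the concepts to your own provider's policy model rather than copying the field names.

```python
"""Simplified conditional access evaluation for a device code sign-in.

Added illustration for this article. It borrows Microsoft Entra Conditional
Access concepts (authentication flows condition, grant controls, exclusions)
but is a toy evaluator, not Microsoft's engine. All names are constructed.
"""


def policy_applies(policy, signin):
    """A policy applies when none of its exclusions match the sign-in and
    every condition it sets is satisfied by the sign-in."""
    cond = policy.get("conditions", {})
    if signin["user"] in cond.get("exclude_users", ()):
        return False
    if signin["app"] in cond.get("exclude_apps", ()):
        return False
    flows = cond.get("authentication_flows")
    if flows is not None and signin["auth_flow"] not in flows:
        return False
    return True


def evaluate(policies, signin):
    """Return (decision, detail). A matching block policy wins outright;
    otherwise every control required by every applicable policy must be met."""
    required, applied = set(), []
    for policy in policies:
        if not policy_applies(policy, signin):
            continue
        if "block" in policy["controls"]:
            return "block", policy["name"]
        required.update(policy["controls"])
        applied.append(policy["name"])
    unmet = sorted(c for c in required if not signin["satisfied"].get(c, False))
    if unmet:
        return "deny", unmet
    return "allow", applied


# Constructed policies: the weak baseline and the hardened set.
REQUIRE_MFA = {"name": "Require MFA for all users", "conditions": {}, "controls": ["mfa"]}
BLOCK_DEVICE_CODE = {
    "name": "Block device code flow",
    "conditions": {
        "authentication_flows": ["deviceCodeFlow"],
        # Exceptions should name the few identities that need the flow, never
        # whole populations: every excluded account is an open attack path.
        "exclude_users": ["svc-lobby-printer@example.com"],
    },
    "controls": ["block"],
}
WEAK = [REQUIRE_MFA]
HARDENED = [REQUIRE_MFA, BLOCK_DEVICE_CODE]

# Constructed sign-ins. The phishing sign-in satisfies MFA because the victim
# completed the challenge at the real login page; the printer's operator did
# the same at setup time, which is what legitimate device code use looks like.
PHISH_SIGNIN = {"user": "alice@example.com", "app": "Mail",
                "auth_flow": "deviceCodeFlow", "satisfied": {"mfa": True}}
PRINTER_SIGNIN = {"user": "svc-lobby-printer@example.com", "app": "Print",
                  "auth_flow": "deviceCodeFlow", "satisfied": {"mfa": True}}
BROWSER_SIGNIN = {"user": "alice@example.com", "app": "Mail",
                  "auth_flow": "browser", "satisfied": {"mfa": True}}


def compare():
    """Run both policy sets against the constructed sign-ins."""
    return {
        "weak_vs_phish": evaluate(WEAK, PHISH_SIGNIN),
        "hardened_vs_phish": evaluate(HARDENED, PHISH_SIGNIN),
        "hardened_vs_printer": evaluate(HARDENED, PRINTER_SIGNIN),
        "hardened_vs_browser": evaluate(HARDENED, BROWSER_SIGNIN),
    }
```

With only the MFA policy the phishing sign-in is allowed, because the control it asks for was genuinely satisfied by the victim. Adding a policy that blocks the device code flow stops it regardless of MFA, while the scoped exclusion keeps the one printer working and ordinary browser sign-ins are unaffected.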
Organizations should also ensure security awareness programs address device code phishing techniques, which differ from traditional credential-harvesting attacks.
How Hexnode Can Help
While Kali365 focuses on identity abuse rather than endpoint exploitation, endpoint visibility remains important during investigation and response. Hexnode can help organizations enforce device compliance requirements and improve visibility into the security posture of managed devices across the environment.
Hexnode XDR can help security teams investigate suspicious activity by correlating endpoint telemetry, security events, and threat data through a unified detection, investigation, and response workflow.
Conclusion
The Kali365 phishing kit highlights how attackers are increasingly abusing legitimate authentication workflows to facilitate OAuth token theft and unauthorized access. As its targeting expands beyond Microsoft 365, organizations should pay closer attention to identity activity and token-based threats.
Reducing risk requires layered controls, including identity monitoring, phishing-resistant authentication, conditional access policies, and endpoint visibility to support faster detection and response.
How is device code phishing different from traditional phishing?
Traditional phishing campaigns attempt to steal usernames, passwords, or MFA codes. Device code phishing abuses legitimate authentication workflows, allowing attackers to obtain authorized OAuth tokens without directly collecting user credentials.
Can password resets stop OAuth token-based attacks?
Not on its own. Access tokens that have already been issued remain valid until they expire, and whether a password change also invalidates refresh tokens depends on the identity provider. Attackers may therefore retain access until the affected tokens and sessions are explicitly revoked, so organizations should include token revocation procedures in their incident response plans.
What should security teams monitor to detect device code phishing activity?
Security teams should monitor unusual device authorization requests, OAuth consent activity, anomalous sign-in behavior, and unexpected access to cloud applications. Correlating identity, endpoint, and cloud telemetry can improve detection and investigation efforts.
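As an added illustration of the monitoring described in this answer and in the recommended actions above (not from Arctic Wolf's research or any product), the following script scores successful device code sign-ins against each user's own earlier activity: first use of the flow by that user, a country or address the user has never signed in from, and follow-on activity from the same address shortly after the grant. The log lines are constructed, and the field names are loosely modelled on identity-provider sign-in logs that record the authentication protocol per sign-in (Microsoft Entra, for instance, labels the flow deviceCode); treat the schema as an assumption to be mapped onto your provider's records.

```python
"""Hunt for device code phishing in identity-provider sign-in logs.

Added illustration for this article. The log is constructed; field names are
assumed and must be mapped to the real schema of your identity provider.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: two ordinary sign-ins, a lobby printer that legitimately
# uses the flow, and a user whose first-ever device code sign-in comes from a
# new country and is followed two minutes later by activity from that address.
SIGN_IN_LOG = """\
{"time": "2025-05-01T08:02:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "country": "DE", "app": "Mail", "protocol": "none", "result": "success"}
{"time": "2025-05-03T09:15:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "country": "DE", "app": "Files", "protocol": "none", "result": "success"}
{"time": "2025-05-02T07:00:00Z", "user": "svc-printer@example.com", "ip": "203.0.113.40", "country": "DE", "app": "Print", "protocol": "deviceCode", "result": "success"}
{"time": "2025-05-20T11:41:00Z", "user": "alice@example.com", "ip": "198.51.100.77", "country": "NL", "app": "Mail", "protocol": "deviceCode", "result": "success"}
{"time": "2025-05-20T11:43:00Z", "user": "alice@example.com", "ip": "198.51.100.77", "country": "NL", "app": "Mail", "protocol": "none", "result": "success"}
{"time": "2025-05-21T07:00:00Z", "user": "svc-printer@example.com", "ip": "203.0.113.40", "country": "DE", "app": "Print", "protocol": "deviceCode", "result": "success"}
"""


def parse_log(text):
    """One JSON object per line, sorted by time (ISO-8601 UTC sorts lexically)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["time"])


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_device_code(events, follow_minutes=60, threshold=2):
    """Score each successful device code sign-in against the user's earlier
    activity and return those at or above the threshold."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["protocol"] != "deviceCode" or ev["result"] != "success":
            continue
        history = [h for h in events[:i] if h["user"] == ev["user"]]
        indicators = []
        if not any(h["protocol"] == "deviceCode" for h in history):
            indicators.append("first_device_code_for_user")
        if history:
            if ev["country"] not in {h["country"] for h in history}:
                indicators.append("new_country")
            if ev["ip"] not in {h["ip"] for h in history}:
                indicators.append("new_ip")
        else:
            # A brand-new account has no baseline; record it but do not score
            # it, or every freshly enrolled device becomes an alert.
            indicators.append("no_baseline")
        deadline = _ts(ev["time"]) + timedelta(minutes=follow_minutes)
        if any(f["user"] == ev["user"] and f["ip"] == ev["ip"] and _ts(f["time"]) <= deadline
               for f in events[i + 1:]):
            indicators.append("activity_from_same_ip_after_grant")
        score = sum(1 for x in indicators if x != "no_baseline")
        if score >= threshold:
            alerts.append({"time": ev["time"], "user": ev["user"], "ip": ev["ip"],
                           "score": score, "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in hunt_device_code(parse_log(SIGN_IN_LOG)):
        print(json.dumps(alert))
```

On the sample, only the 20 May sign-in is raised: it is that user's first device code sign-in, from a new country and address, and tokens are used from the same address within minutes. The printer's first sign-in is not scored because the account has no baseline, and its later sign-in matches its own history. The response to a true positive is to revoke the user's sessions and refresh tokens at the identity provider, not only to reset the password.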